By Kevin Nikkhoo  Just as business critical as perimeter security, having strong internal controls to manage users is important. Using cloud-managed security tools can help reduce incidents.
So much is written about the events outside your perimeter; those nefarious and shadowy individuals and offshore... May. 15, 2012 10:00 AM EDT
By Steve Hanna  A recent article in Government Computer News raised the topic of FISMA reporting, specifically describing the “pessimism” of many USG agencies over meeting the September 2012 deadline for “using continuous monitoring to meet Federal Information Security Management Act reporting require... May. 4, 2012 10:00 AM EDT
By Jared Day  When we aren’t fighting crime, taking over the world, or enjoying a good book by the fire, we here on the eEye Research team like to participate in the Any Means Possible (AMP) Penetration Testing engagements with our clients. For us, it’s a great way to interact one-on-one with IT fol... Apr. 5, 2012 10:00 AM EDT
By David Gibson  In most organizations today, there is sensitive data that is overexposed and vulnerable to misuse or theft, leaving IT in an ongoing race to prevent data loss. Packet sniffers, firewalls, virus scanners, and spam filters are doing a good job securing the borders, but what about insider... Mar. 5, 2012 06:00 AM EST
By Tad Anderson  The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering).
Working as a Software Architect, one of the main concerns we always have is Security. At an application level that can... Feb. 24, 2012 09:15 AM EST
By Tomer Teller  Quick Response (QR) codes are intended to help direct users quickly and easily to information about products and services, but they are also starting to be used for social engineering exploits. This article looks at the emergence of QR scan scams and the rising concern for users today.... Feb. 23, 2012 06:45 AM EST
By Shaul Efraim  Managing access to confidential information and application resources via firewalls is the foundation of network security, and firewall audits are central to any mature network security process. However, relying on security and network experts to review rules across multiple firewall z... Jan. 30, 2012 07:30 AM EST
By Vincent M. Schiavo  Companies across all industries are fighting to secure their proprietary and confidential data behind firewalls and complex passwords; unfortunately, the reality is that this data is most likely still slipping through the cracks. The introduction of employee-owned devices and the consu... Jan. 14, 2012 02:00 PM EST
By David Dodd  The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve... Jan. 9, 2012 04:00 AM EST
By Dana Gardner  Joe Menn explores the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space.
Maybe you can make your enterprise a little trickier to get into than the other guy’s enterprise, but crime pa... Jan. 6, 2012 08:00 AM EST
By Tim Matthews  There are some technological concepts that simply go better together. Consider the cloud and information explosion; the cloud offers the potential for unlimited storage for a torrent of ever-increasing data. Another example is virtualization and IT agility; strategic virtualization imp... Jan. 4, 2012 05:15 AM EST
By Gorka Sadowski  We saw what typically happens when trying to use static rule-based log correlation to perform real-time incident management... combinatory explosion and lack of scalability. How do you automate non-deterministic attacks in a few discrete steps?
Today, we'll look at more scenarios fo... Dec. 20, 2011 09:00 AM EST
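The teaser above contrasts static rule-based correlation, which explodes combinatorially as attack steps are added, with the need to follow a non-deterministic, multi-step attack through a handful of stages. As an added example, not code from the article or from any product it discusses, the Python below keeps one small state machine per source/destination pair and advances it through scan, brute force and success, so the sequence is expressed once rather than as one rule per combination. The log format, field names, thresholds and every sample line are constructed for this example.

```python
"""Stateful multi-step correlation over constructed log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts): one attacker scans a host,
# fails several logins, then succeeds; unrelated successful logins are mixed in.
SAMPLE_LOGS = """\
2011-12-20T09:00:01 ids src=10.0.0.5 dst=192.168.1.10 event=portscan
2011-12-20T09:00:12 sshd src=10.0.0.5 dst=192.168.1.10 event=auth_fail user=root
2011-12-20T09:00:13 sshd src=10.0.0.5 dst=192.168.1.10 event=auth_fail user=admin
2011-12-20T09:00:14 sshd src=10.0.0.5 dst=192.168.1.10 event=auth_fail user=deploy
2011-12-20T09:00:20 sshd src=10.0.0.5 dst=192.168.1.10 event=auth_ok user=deploy
2011-12-20T09:01:00 sshd src=10.0.0.9 dst=192.168.1.11 event=auth_ok user=alice
2011-12-20T11:30:00 sshd src=10.0.0.5 dst=192.168.1.12 event=auth_ok user=bob
"""

# Assumed line layout: "<iso-timestamp> <process> src=<ip> dst=<ip> event=<name> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"event=(?P<event>\S+)(?: user=(?P<user>\S+))?$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, window_seconds=600, min_failures=3):
    """Raise one alert per (src, dst) pair that goes portscan -> N auth failures -> success
    within window_seconds. Rather than a static rule for every combination of steps,
    a per-pair state machine advances only on the next expected stage and is forgotten
    when the window expires or the alert fires, so state stays bounded by live pairs."""
    window = timedelta(seconds=window_seconds)
    state = {}   # (src, dst) -> {"stage": 1|2, "fails": int, "first": datetime}
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        st = state.get(key)
        if st is not None and ev["ts"] - st["first"] > window:
            del state[key]           # chain did not complete in time: drop it
            st = None
        if ev["event"] == "portscan":
            state[key] = {"stage": 1, "fails": 0, "first": ev["ts"]}
        elif ev["event"] == "auth_fail" and st is not None:
            st["fails"] += 1
            if st["fails"] >= min_failures:
                st["stage"] = 2      # brute force confirmed; now wait for a success
        elif ev["event"] == "auth_ok" and st is not None and st["stage"] == 2:
            alerts.append({
                "src": ev["src"], "dst": ev["dst"], "user": ev["user"],
                "failures": st["fails"],
                "started": st["first"].isoformat(), "ended": ev["ts"].isoformat(),
            })
            del state[key]           # fired once; a new scan restarts the chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run against the embedded sample, the correlator produces a single alert for 10.0.0.5 against 192.168.1.10 (three failures, then success as `deploy`); the later login from the same source to a different host has no preceding scan and stays silent, which is the point of keying state by pair rather than by source alone.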
By Dana Gardner  In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.
The path to reducing these risk... Dec. 2, 2011 06:45 AM EST
By Michael Podszywalow  You’ve spent months fixing the red items on an internal audit report and just passed a regulatory exam. You’ve performed a network vulnerability assessment and network pen test within the last year and have fixes in place. You’ve tightened up your information security policy and recent... Nov. 24, 2011 03:00 PM EST
By Georgiana Comsa  In a recent blog post, Gary Sevounts, VP of marketing at Zetta, looks at the most popular offsite backup solutions for organizations with smaller budgets that can't afford a data center, but need their mission-critical data to be protected. Sevounts lists four options: tape, USB, mirro... Oct. 28, 2011 11:51 AM EDT
By David Dodd  The goal of the scanning phase is to learn more information about the target environment and discover openings by interacting with that target environment. This article will look at some of the most useful scanning tools freely available today and how to best use them. During this proc... Oct. 12, 2011 01:00 PM EDT
By Jim Kaskade  The security community has a growing number of influential and important people, especially as the industry rises to meet the need to address more advanced security threats, such as targeted attacks. But how does a company in the security industry truly identify the influential people?... Sep. 8, 2011 02:50 PM EDT
By Marc Chanliau  The recent spike in insider threats, coupled with a rise in compliance considerations, has forced organizations to ensure only authorized users access sensitive application functionality and data. Historically, user entitlements or authorization logic has been embedded inside an applic... Aug. 25, 2011 10:15 AM EDT
By Dana Gardner  How can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions? Jul. 29, 2011 10:00 AM EDT
By David Dodd  We are using the local port forwarding bound on a victim host so when we execute the route command and exploit internal hosts we can map them back to our initial victim, through the meterpreter connection and back to us.
The Metasploit Framework is a penetration testing toolkit, explo... Jun. 29, 2011 10:00 AM EDT
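The teaser describes binding a local port forward on the compromised host so that traffic aimed at internal targets is relayed through the pivot. As an added example, independent of the Metasploit Framework and of the article's own walkthrough, the Python below implements that relay mechanism itself: a listener on the pivot that copies bytes in both directions between the attacker's connection and an internal target, including half-close handling so a request/response exchange finishes cleanly. The addresses, ports and the echo server standing in for the internal host are assumptions; on loopback the whole chain runs in one process.

```python
"""Minimal TCP relay: the mechanism behind a pivot's local port forward (added example)."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the peer sees the EOF
    while the opposite direction can still drain its response."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """One relayed session: connect onward to the internal target, pump both ways."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()               # internal host unreachable: drop the attacker side
        return
    upstream.settimeout(None)
    t_in = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t_out = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    t_in.start(); t_out.start()
    t_in.join(); t_out.join()
    client.close(); upstream.close()


def start_forwarder(bind_host, bind_port, target_host, target_port):
    """Listen on the pivot at bind_host:bind_port and relay every connection to
    target_host:target_port (assumed reachable only from the pivot). Returns the
    port actually bound, which matters when bind_port is 0."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_host, bind_port))
    lsock.listen(8)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(client, (target_host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def _echo(conn):
    with conn:                       # closing sends FIN back through the relay
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def start_echo_server(host="127.0.0.1"):
    """Stand-in for the internal host behind the pivot (constructed for the example)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(payload):
    """End to end: attacker -> forwarder on the pivot -> internal echo host -> back."""
    echo_port = start_echo_server()
    fwd_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)   # tell the chain the request is complete
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(relay_roundtrip(b"GET / HTTP/1.0\r\nHost: internal\r\n\r\n"))
```

The half-close in `_pump` is the detail that makes one-shot protocols work through the relay: when the attacker finishes sending, the forwarder passes that EOF to the internal host rather than tearing the session down, and the response still flows back before both sockets are closed.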
By Gorka Sadowski  Last week we saw that a proper Log Management tool is a powerful tool to catch the bad guys.
Advertise your use of such a tool and you will send a clear signal to would-be attackers that they will be caught, which will act as a powerful deterrent, and curb bad behaviors.
A 2004 study... Jun. 16, 2011 02:15 PM EDT
By Dana Gardner  The OTTF’s purpose is to shape global procurement strategies and best practices to help reduce threats and vulnerabilities in the global supply chain.
The framework outlines industry best practices that contribute to the secure and trusted development, manufacture, delivery and ong... Feb. 23, 2011 11:20 AM EST
By Dana Gardner  This is really not about adding some security band-aid onto a technology or a product. It's really about the fundamental attributes or assurance of the product or technology that’s being produced.
The OTTF is a group that came together under the umbrella of The Open Group to identify ... Feb. 22, 2011 02:54 PM EST
By Bill Roth  The major theme of this year’s RSA Conference is, guess what, security. This is the largest security show of the year, and it's clearly a big deal, since it covers both sides of the Moscone Center in San Francisco. As of 10 a.m. on Monday, preparations are still being made. The show off... Feb. 14, 2011 03:24 PM EST
By Christos K. Dimitriadis  As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information securi... Feb. 9, 2011 06:00 AM EST
By Peter Weger  The WikiLeaks security fiasco has shed a lot of light on document security and its inherent irony: namely that the more confidential a document is, the more it’s likely to be shared.
Web Security Journal reached out to the CEO of Brainloop, Peter Weger, to discuss the notion of so-... Feb. 5, 2011 05:15 AM EST
By Gorka Sadowski  Over the next few weeks, we'll investigate how the expression "An ounce of prevention is worth a pound of cure" could also be applied to the IT world, and what are the tools to foster preventive security through behavior modification.
When looking at IT security, it seems that most of... Feb. 1, 2011 07:00 PM EST
By David Rowe  Users are the weakest link when it comes to information security. Without intending to, they cost more money in security breaches than outside hackers. This is why all regulations require the demonstration of strong access security. But focusing purely on regulatory compliance proofs a... Jan. 12, 2011 12:15 PM EST
By Security News Desk  There's been a flurry of discussion this week among Internet and Web standards heavy-hitters around WebSocket, the new communications protocol supported in Chrome 4 and Safari 5. What was the main issue? Is there some kind of fundamental security vulnerability with the WS protocol? Web... Dec. 12, 2010 02:30 AM EST
By Maureen O'Gara  Right before Christmas, the White House tapped Microsoft’s long-ago chief security officer, the CEO of the non-profit Information Security Forum, Howard Schmidt, as head of US cyber security.
Despite the national priority, between pressure from US companies and reported infighting am... Dec. 28, 2009 11:30 AM EST
By Peter Silva  I had a different name for this blog entry but just ‘Jump Drive’ is an awful blog title. They go by many names; jump drive, USB drive, flash drive, memory stick and a few others, but removable media is a serious threat to IT organizations. Graduating from floppy disks, as early as 20... Sep. 12, 2009 06:30 PM EDT
By Mark O'Neill  Joe McKendrick kicks off a thread on the current state of SOA Security. As usual, most discussion of SOA Security applies to "how SOA can be made secure". This is understandable. And, as some commentators have pointed out, there is a body of Best Practice out there on how to secure ser... Sep. 8, 2009 01:00 PM EDT
By Devi Gupta  You don't have to be a chief information officer to realize that security is becoming a corporate concern as more business is transacted on the Web. The mounting fears are well founded. Web attacks are growing in sophistication. Data is flowing faster and to more applications and more ... Mar. 9, 2009 10:15 AM EDT
By Prat Moghe  There are many reasons why a data security strategy could self-destruct, not the least of which is a new breed of highly motivated data thieves who stand to make a considerable profit on customer and other sensitive information in data centers. We're often so mired with putting out dat... Nov. 10, 2008 01:08 PM EST
By SOA News Desk  Layer 7 Technologies announced its go-to-market partnership with Steria Benelux. Steria will act as a channel partner for Layer 7's SOA gateway products in Belgium to offer leading SOA security, governance solutions and support to its current and prospective customers. May. 28, 2008 03:30 PM EDT
By Erika Delgado  Spending time with my parents over the holidays got me thinking about the differences between this generation and the previous one. My parents expect to spend a certain amount of time and effort managing certain aspects of their lives. For example, when they drive to an unfamiliar vaca... May. 22, 2008 08:00 AM EDT
By Mike Pellegrini  Composite applications are made up of discrete services that have been tried and proven reliable, but building an orchestration that incorporates services that come from several sources, some of them outside of the company, could introduce testing hazards beyond just bad output. For ex... May. 5, 2008 06:00 PM EDT
By Scott Morrison  Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source. Aug. 20, 2007 08:45 AM EDT
By Rajiv Gupta  As the name suggests, a Service Oriented Architecture is one where application functionality is packaged as autonomous services that adhere to industry standard interfaces (WSDL, SOAP), and the services are then deployed in an IT architecture that makes for their most effective use. T... Apr. 14, 2007 04:15 PM EDT
By Kevin Smith  When SOAP-based Web Services solutions began appearing five years ago, one of the major challenges was securely propagating end-user identity in Web Service chaining scenarios. Certainly a user could authenticate to a portal, and that portal could talk to a Web Service that talks to an... Oct. 19, 2006 01:15 PM EDT